U.S. patent application number 11/529828 (publication 20080082772) was filed with the patent office on 2006-09-29 and published on 2008-04-03 for tamper protection of software agents operating in a VT environment, methods and apparatuses.
Invention is credited to David Durham, Hormuzd Khosravi, Ravi Sahita, Uday Savagaonkar.
Application Number: 20080082772 (11/529828)
Family ID: 38938381
Publication Date: 2008-04-03
United States Patent Application 20080082772
Kind Code: A1
Savagaonkar; Uday; et al.
April 3, 2008
Tamper protection of software agents operating in a VT environment
methods and apparatuses
Abstract
Methods, apparatuses, articles, and systems for comparing a
first security domain of a first memory page of a physical device
to a second security domain of a second memory page of the physical
device, the security domains being stored in one or more registers
of a processor of the physical device, are described herein. Based
on the comparison, the processor disallows an instruction from the
first memory page to access the second memory page if the first
security domain is different from the second security domain.
Resultantly, software agents, in particular, critical software
agents, may be protected in a VT environment more efficiently and
effectively.
Inventors: Savagaonkar; Uday (Beaverton, OR); Sahita; Ravi (Beaverton, OR); Durham; David (Beaverton, OR); Khosravi; Hormuzd (Portland, OR)
Correspondence Address: SCHWABE, WILLIAMSON & WYATT, P.C., PACWEST CENTER, SUITE 1900, 1211 S.W. FIFTH AVE., PORTLAND, OR 97204, US
Family ID: 38938381
Appl. No.: 11/529828
Filed: September 29, 2006
Current U.S. Class: 711/163; 711/E12.097; 711/E12.102
Current CPC Class: G06F 12/1491 20130101; G06F 21/6218 20130101; G06F 2221/2141 20130101; G06F 21/79 20130101; G06F 21/54 20130101; G06F 12/145 20130101
Class at Publication: 711/163
International Class: G06F 12/14 20060101 G06F012/14
Claims
1. A method comprising: storing a first security domain of a first
memory page of a physical device and a second security domain of a
second memory page of the physical device in registers of a
translation lookaside buffer of a processor of the physical device;
analyzing the first and second security domains of the first and
second memory pages when an instruction of the first memory page
attempts to reference or access the second memory page; and
disallowing the instruction from the first memory page to reference
or access the second memory page based at least in part on the
analysis of the first and second security domains.
2. The method of claim 1, wherein said storing comprises retrieving
the first and second security domains from the translation
lookaside buffer and storing the retrieved first and second
security domains in the registers of the translation lookaside
buffer, when the reference or access is attempted.
3. The method of claim 2, wherein the method further comprises
retrieving the first and second security domains from a page table
of a virtual machine manager of the physical device, and caching
the retrieved first and second security domains in the translation
lookaside buffer, and the page tables of the virtual machine
manager are extended page tables comprising: extended page table
pointer structures, each indicating whether a security domain has
been set for an associated memory page and features associated with
the security domain, and extended page table entry structures
storing security domains assigned to associated memory pages.
4. The method of claim 3, wherein bits from a plurality of extended
page table entry structures, at least some of the extended page
table entry structures having different nesting levels from each
other, may be used to store one security domain.
5. The method of claim 1, wherein the disallowing comprises causing
a page fault, and the instruction of the first memory page is
disallowed to reference or access the second memory page, if the
first security domain is different from the second security
domain.
6. The method of claim 1, wherein the method further comprises
determining whether the second memory page is a hidden memory page,
and the instruction of the first memory page is also disallowed to
reference or access the second memory page if the second memory
page is a hidden memory page.
7. The method of claim 6, wherein the method further comprises
determining whether the reference or access is a read or write
reference or access, and, if the second memory page is not a hidden
memory page, not disallowing the instruction to reference or access
the second memory page if the first security domain is different
from the second security domain and the reference or access is a
read reference or access, and disallowing the instruction to
reference or access the second memory page if the first security
domain is lower than the second security domain and the reference
or access is a write reference or access.
8. The method of claim 1, further comprising not disallowing the
instruction to reference or access the second memory page if the
reference or access is one of a jump or a call to an allowed
entrypoint of the second memory page, regardless of whether the
first security domain is different from the second security
domain.
9. The method of claim 1, further comprising not disallowing the
instruction to reference or access the second memory page if the
second security domain is not higher privileged than at least a
predetermined security domain.
10. The method of claim 1, wherein the second memory page stores a
critical operating system component, and the second security domain
is a supervisory security domain.
11. The method of claim 1, further comprising assigning, by a
security domain assignment service of a virtual machine manager of
the physical device, at least the first and second security
domains.
12. The method of claim 1, further comprising verifying integrity
of an agent of a virtual machine of the physical device allocated
with the first memory page by an integrity measurement module of a
virtual machine manager of the physical device.
13. A processor comprising: a translation lookaside buffer
including first and second registers to store first and second
security domains of first and second memory pages of a physical
device having the processor; and comparing logic coupled to the
translation lookaside buffer and adapted to compare the first
security domain of the first memory page to the second security
domain of the second memory page, the security domains having been
retrieved from the translation lookaside buffer, and not disallow
an instruction from the first memory page to reference or access
the second memory page if the first security domain is higher than
or equal to the second security domain.
14. The processor of claim 13, wherein the security domains stored
in the translation lookaside buffer were retrieved from page
tables of a virtual machine manager of the physical device, and the
page tables of the virtual machine manager are extended page tables
comprising: extended page table pointer structures, each configured
to indicate whether a security domain has been set for an
associated memory page and features associated with the security
domain, and extended page table entry structures configured to
store security domains assigned to associated memory pages.
15. The processor of claim 13, wherein the comparing logic is
further adapted to cause a page fault, if the first security domain
is different from the second security domain, to disallow the
instruction to reference or access the second memory page.
16. The processor of claim 13, wherein the comparing logic is
further adapted to determine whether the second memory page is a
hidden memory page, and the instruction of the first memory page is
also disallowed to reference or access the second memory page if
the second memory page is a hidden memory page.
17. The processor of claim 16, wherein the comparing logic is
further adapted to determine whether the reference or access is a
read or write reference or access, and if the second memory page is
not a hidden memory page, not disallow the instruction to reference
or access the second memory page if the first security domain is
different from the second security domain and the reference or
access is a read reference or access, and disallow the instruction
to reference or access the second memory page if the first security
domain is different from the second security domain and the
reference or access is a write reference or access.
18. The processor of claim 13, wherein the comparing logic is
further adapted to not disallow the instruction to reference or
access the second memory page if the reference or access is one of
a jump or a call to an allowed entrypoint of the second memory
page, regardless of whether the first security domain is different
from the second security domain.
19. The processor of claim 13, wherein the second memory page
stores a critical operating system component, and the second
security domain of the second memory page is a supervisory security
domain.
20. The processor of claim 13, wherein a virtual machine manager of
the physical device having the processor, operated by the
processor, includes a security domain assignment service adapted to
assign at least the first and second security domains.
21. The processor of claim 13, wherein a virtual machine manager of
the physical device having the processor, operated by the
processor, includes an integrity management module adapted to
verify integrity of the first memory page.
22. An article of manufacture comprising: a storage medium; and a
plurality of programming instructions stored on the storage medium
and adapted to instantiate a security domain assignment service of
a virtual machine manager of a physical device to assign at least
first and second security domains to first and second memory pages
of the physical device, and store the assigned at least first and
second security domains in page tables of the virtual machine
manager, facilitating comparing logic of a processor of the
physical device in retrieving the at least first and second
security domains, the comparing logic comparing the first security
domain of the first memory page to the second security domain of
the second memory page, wherein an instruction of the first memory
page is attempting to reference or access the second memory page,
and the comparing logic not disallowing the instruction from the
first memory page to reference or access the second memory page if
the first security domain is the same as the second security
domain.
23. The article of claim 22, wherein the page tables of the virtual
machine manager are extended page tables comprising: extended page
table pointer structures, each indicating whether a security domain
has been set for an associated memory page and features associated
with the security domain, and extended page table entry structures
storing security domains assigned to associated memory pages.
24. The article of claim 23, wherein the instructions are further
adapted to instantiate the security domain assignment service to
determine, for at least one of the at least first and second memory
pages, one or more features associated with the determined security
domain, and store the one or more features in an extended page
table pointer structure.
25. A system comprising: mass storage having stored therein at
least one critical operating system component program instantiable
into a critical operating system component agent; and a processor
coupled to the mass storage, the processor including a translation
lookaside buffer including first and second registers to store
first and second security domains of first and second memory pages
of the system, the second memory page having the critical operating
system component agent; and comparing logic coupled to the
translation lookaside buffer and adapted to compare the first
security domain of the first memory page to the second security
domain of the second memory page, the security domains having been
retrieved from the translation lookaside buffer, and not disallow
an instruction from the first memory page to access the second
memory page if the first security domain is the same as the second
security domain.
26. The system of claim 25, wherein the security domains stored in
the translation lookaside buffer were retrieved from page tables
of a virtual machine manager of the system, and the page tables of
the virtual machine manager are extended page tables comprising:
extended page table pointer structures, each configured to indicate
whether a security domain has been set for an associated memory
page and features associated with the security domain, and extended
page table entry structures configured to store security domains
assigned to associated memory pages.
27. The system of claim 25, wherein the comparing logic is further
adapted to cause a page fault, if the first security domain is
different from the second security domain, to disallow the
instruction to reference or access the second memory page.
28. The system of claim 25, wherein the comparing logic is further
adapted to not disallow the instruction to reference or access the
second memory page if the reference or access is one of a jump or a
call to an allowed entrypoint of the second memory page, regardless
of whether the first security domain is different from the second
security domain.
29. The system of claim 25, wherein the second security domain of
the second memory page having the critical operating system
component agent is a supervisory security domain.
Description
TECHNICAL FIELD
[0001] Embodiments relate to the fields of data processing and
information assurance, in particular, to protecting software agents
operating in a virtual technology (VT) environment from tampering
by disallowing an instruction of a first memory page to access a
second memory page if the two pages do not belong to the same
protection domain.
BACKGROUND
[0002] Memory based attacks are a significant threat to the
security of information processing systems. Some such attacks
involve storing malicious code, such as a virus or a worm, in the
memory of a computer system, then exploiting bugs and/or buffer
overflows while running legitimate programs to transfer control to
the malicious code. One approach to preventing this type of attack
is to include an "execute disable" bit in a page table entry that
may be used to designate pages where data is stored as
non-executable, so that malicious code could not be stored as data
and subsequently executed within the same physical, linear or
logical memory space.
[0003] Additional approaches include using memory page tables to
store "color" attributes that are associated with agents
(reflective of their security and/or privilege domains) to
logically partition memory at a fine enough granularity to prevent
an agent of one color from accessing memory associated with
another. This approach, however, is limited to assigning relatively
few "colors" (and therefore relatively few security enclaves)
because of the limited number of bits available in page tables.
Further, advances in processor technology may eliminate the
availability of these bits as "color" indicators.
BRIEF DESCRIPTION OF THE DRAWINGS
[0004] Embodiments of the present invention will be described by
way of exemplary embodiments, but not limitations, illustrated in
the accompanying drawings in which like references denote similar
elements, and in which:
[0005] FIG. 1 illustrates an overview of various embodiments of the
present invention;
[0006] FIG. 2 illustrates a flow chart view of selected operations
of the methods of various embodiments of the present invention;
[0007] FIG. 3 illustrates exemplary extended page table structures
adapted to store memory page security domains in a logically
ordered fashion; and
[0008] FIG. 4 illustrates an example computer system suitable for
use to practice various embodiments of the present invention.
DETAILED DESCRIPTION OF ILLUSTRATIVE EMBODIMENTS
[0009] Illustrative embodiments of the present invention include,
but are not limited to, methods and apparatuses for comparing a
first security domain of a first memory page of a physical device
to a second security domain of a second memory page of the physical
device, with the security domains stored in one or more registers
of a processor of the physical device. Based on the comparison, the
processor disallows an instruction from the first memory page to
access the second memory page if the privilege domain of the first
security domain is different from that of the second security
domain. Resultantly, software agents, in particular, critical
software agents, may be protected in a VT environment more
efficiently and effectively.
[0010] Various aspects of the illustrative embodiments will be
described using terms commonly employed by those skilled in the art
to convey the substance of their work to others skilled in the art.
However, it will be apparent to those skilled in the art that
alternate embodiments may be practiced with only some of the
described aspects. For purposes of explanation, specific numbers,
materials, and configurations are set forth in order to provide a
thorough understanding of the illustrative embodiments. However, it
will be apparent to one skilled in the art that alternate
embodiments may be practiced without the specific details. In other
instances, well-known features are omitted or simplified in order
not to obscure the illustrative embodiments.
[0011] Further, various operations will be described as multiple
discrete operations, in turn, in a manner that is most helpful in
understanding the illustrative embodiments; however, the order of
description should not be construed as to imply that these
operations are necessarily order dependent. In particular, these
operations need not be performed in the order of presentation.
[0012] The phrase "in one embodiment" is used repeatedly. The
phrase generally does not refer to the same embodiment; however, it
may. The terms "comprising," "having," and "including" are
synonymous, unless the context dictates otherwise. The phrase "A/B"
means "A or B". The phrase "A and/or B" means "(A), (B), or (A and
B)". The phrase "at least one of A, B and C" means "(A), (B), (C),
(A and B), (A and C), (B and C) or (A, B and C)". The phrase "(A)
B" means "(B) or (A B)", that is, A is optional.
[0013] FIG. 1 illustrates an overview of various embodiments of the
present invention. As illustrated, comparing logic 120 of processor
116 may compare a security domain associated with a memory page
(allocated e.g. to agent 114) to a security domain of a second
memory page (that an instruction of agent 114 has attempted to
reference or access). Based on the results of the comparison, the
comparing logic 120 may either cause a page fault and disallow the
reference or access, or may not disallow the reference or access.
The security domains associated with the two memory pages may be
stored in the translation lookaside buffer (TLB) 118 of the
processor 116 of computing device 102, and copied into a previous
security domain (PSD) and a current security domain (CSD) register
122 of the processor 116 (when the two memory pages are the
previous and current memory pages in an attempted memory page
reference or access). The security domains may have been previously
assigned by a security domain assignment service 110 (e.g. of
virtual machine manager 104) and stored in page tables 108, used by
the virtual machine manager (VMM) 104 to translate guest physical
addresses of virtual machines 106 to host physical addresses of
processor 116 (prior to getting copied into TLB 118).
[0014] In various embodiments, the virtual machines (VM) 106 and
virtual machine manager 104 may be executed by the same or
different processor cores or processors of computing device 102,
such as processor 116, and may be stored in memory of computing
device 102, such as memory 124. The virtual machines 106 may
include programs and modules, such as agent 114 (which may be
either a program or a module of a program), and in one embodiment,
guest page tables (not shown). The virtual machine manager 104, in
addition to the earlier described page tables 108 and security
domain assignment service 110, may, in some embodiments, include an
integrity measurement module 112 capable of verifying the integrity
of the agent 114 as it is loaded in memory.
[0015] In various embodiments, except for the teachings of the
embodiments of the present invention incorporated therein,
computing device 102 may be any single- or multi-processor or
processor core central processing unit (CPU) computing system known
in the art. Computing device 102 may be a personal computer (PC), a
workstation, a server, a router, a mainframe, a modular computer
within a blade server or high-density server, a personal digital
assistant (PDA), an entertainment center, a set-top box or a mobile
device. The computing device 102 may be capable of operating a
plurality of operating systems of a plurality of virtual machines,
such as virtual machine 106, and of a virtual machine manager 104
using virtualization technologies. If computing device 102 is a
multi-processor or multi-processor core system (not shown in FIG.
1), each virtual machine/virtual machine manager of computing
device 102 may be operated by a processor or processor core
dedicated to that virtual machine/virtual machine manager. In a
single processor or single processor core computing device 102
(such as that illustrated by FIG. 1), the plurality of virtual
machines and virtual machine manager 104 may be operated by the
single processor or processor core (such as processor 116). An
exemplary single-/multi-processor or processor core computing
device 102 is illustrated by FIG. 4, and is described in greater
detail below. Hereinafter, including in the claims, the terms
"processor" and "processor core" shall be used interchangeably,
with each term including the other, unless the context clearly
indicates otherwise.
[0016] In some embodiments, VMM 104 may comprise a service
partition of the computing device 102, managing the actual hardware
resources of device 102, including memory pages, such as the memory
page of agent 114 and the memory page that the instruction is
attempting to access, and coordinating the use of the resources
among the virtual machines of computing device 102.
[0017] Virtual machine 106, except for the teachings of the
embodiments of the present invention, may be any sort of
virtual machine. Virtual machine 106 may be a self-contained
operating environment that behaves as if it is a separate computer
system. To an outside system coupled to computing device 102
through a networking fabric, virtual machine 106 may appear to be a
separate computing device. Virtual machine 106 may also have an
operating system capable of managing multiple agents, such as agent
114, and may have a protected memory space that operationally
belongs exclusively to virtual machine 106. In one embodiment,
virtual machine 106 may include guest page tables (not shown)
containing mappings between linear addresses and guest physical
addresses. As described above, virtual machine 106 also includes an
agent 114 and is operated by processor 116. Suitable virtual
machines and virtualization technologies include but are not
limited to those available from Microsoft Corporation of Redmond,
Wash., VMware, Inc. of Palo Alto, Calif., and XenSource of
Cambridge, UK.
[0018] As is also illustrated, VMM 104 may include page table 108
structures. In some embodiments, illustrated below by FIG. 3, the
page tables 108 may be organized in a hierarchical manner for
mapping guest physical addresses of virtual machine 106 to host
physical addresses of the computing device 102 and for storing
security domains for memory pages of the computing device 102. For
example, page tables 108 may include base and extended page tables,
providing mappings of linear virtual addresses of virtual machine
106 to guest physical addresses of virtual machine 106, of the
guest physical addresses to host physical addresses of the
computing device 102, as well as storing security domains for
memory pages of the computing device 102. Page tables 108 may be
updated by the VMM 104 in response to the loading of virtual
machine 106 components, such as agent 114, to add entries for those
components mapping their guest physical addresses to point to host
physical memory pages. Further, the extended page tables 108 may be
referenced by a processor register called the extended page table
pointer (EPTP). The EPTP could contain certain bits making it
capable of marking security domain configuration options. The
various levels of extended page tables may comprise extended page
table entries (EPTEs) capable of storing all or a portion of the
security domain. Since EPTEs may form a multi-level paging
structure, protection domain bits from multiple levels could be
combined to identify protection domains uniquely. Exemplary EPTP
and EPTE structures are described below in greater detail in
reference to FIG. 3.
[0019] In some embodiments, as alluded to earlier, the VMM 104 may
include a security domain assignment service 110 (hereinafter,
assignment service) capable of determining security domains for
agents, associating the determined domains with the memory page or
pages of the agents, and storing the determined domains in the EPTE
structure(s) pointing to the memory page or pages. The assignment
service 110 may assign a unique security domain to each agent and
may assign the same security domain to associated modules of the
same agent or to associated agents. Also, assignment service 110
may assign special security domains to base components of virtual
machine 106 and to legacy applications. Base components, such as
the scheduler, loader, and memory manager may be assigned a
supervisory security domain allowing their instructions to access
memory pages possessing different security domains. In this sense,
the security domains are partially ordered, and some of the
security domains may be more privileged than others (though not
always). Legacy applications may not be assigned a security domain
(or are given a security domain of "0"), and as such, may not
access memory pages having security domains. In various
embodiments, the assignment service 110 may also determine features
associated with the determined security domain, such as whether the
memory page to which the domain is assigned is a hidden memory
page. In one embodiment, described below in reference to FIG. 3,
portions of the security domain may be stored in multiple EPTEs in
a nested fashion. In such embodiments, the assignment service 110
may assign agents from a logical group, such as network drivers, a
portion of the security domain that is the same for each agent, and
a portion that is unique for each agent module, thus allowing for a
logical organization of the assigned security domains. In alternate
embodiments, the assignment service 110 may be a component of a
virtual machine, such as virtual machine 106, rather than a
component of VMM 104.
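The nested EPTE encoding of [0018] and the assignment policy of [0019], worked through in C as an added example that is not the patent's own code: the bit positions (bits 52..57 of each of the four EPT levels for the domain fragment, bit 58 of the leaf entry for the hidden bit, bit 0 of the EPTP as the "domains enabled" flag), the 6-bits-per-level split into an 18-bit group part and a 6-bit unique part, and the agent kinds are this example's assumptions; the patent does not fix any of them. Because the upper-level fragments are shared by every page under that paging-structure subtree, placing a logical group's modules under one subtree is what gives them a common group part.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed bit layout (this example's choice, not the patent's): each of the
 * four EPT paging-structure levels donates the 6 bits 52..57 of its entry to
 * the domain, so the PML4E, PDPTE and PDE carry the shared "group" part and
 * the leaf PTE the per-module "unique" part, for a 24-bit domain.  Bit 58 of
 * the leaf entry is the assumed hidden bit and bit 0 of the EPTP the assumed
 * "domains enabled" flag. */
#define EPT_LEVELS             4
#define DOMAIN_BITS_SHIFT      52
#define DOMAIN_BITS_PER_LEVEL  6
#define DOMAIN_BITS_MASK       ((1ULL << DOMAIN_BITS_PER_LEVEL) - 1)
#define EPT_HIDDEN_BIT         (1ULL << 58)
#define EPTP_DOMAINS_ENABLED   1ULL
#define EPT_ADDR_AND_PERM_MASK 0x000FFFFFFFFFFFFFULL   /* bits 0..51 */

#define DOMAIN_TOTAL_BITS  (EPT_LEVELS * DOMAIN_BITS_PER_LEVEL)       /* 24 */
#define GROUP_BITS         ((EPT_LEVELS - 1) * DOMAIN_BITS_PER_LEVEL) /* 18 */
#define DOMAIN_NONE        0u                                 /* legacy: no domain */
#define DOMAIN_SUPERVISORY ((1u << DOMAIN_TOTAL_BITS) - 1u)   /* all ones */

typedef uint64_t ept_entry_t;

typedef enum { AGENT_LEGACY, AGENT_BASE_COMPONENT, AGENT_MODULE } agent_kind_t;

/* Assignment policy of [0019]: legacy applications get no domain, base
 * components (scheduler, loader, memory manager) get the supervisory domain,
 * and ordinary agents get a group part shared by their logical group (e.g.
 * all network drivers) above a per-module unique part. */
uint32_t assign_domain(agent_kind_t kind, uint32_t group, uint32_t unique) {
    switch (kind) {
    case AGENT_LEGACY:         return DOMAIN_NONE;
    case AGENT_BASE_COMPONENT: return DOMAIN_SUPERVISORY;
    default:
        return ((group & ((1u << GROUP_BITS) - 1u)) << DOMAIN_BITS_PER_LEVEL) |
               (unique & (uint32_t)DOMAIN_BITS_MASK);
    }
}

bool same_group(uint32_t a, uint32_t b) {
    return (a >> DOMAIN_BITS_PER_LEVEL) == (b >> DOMAIN_BITS_PER_LEVEL);
}

/* Scatter a domain over the walk (walk[0] = PML4E ... walk[3] = leaf PTE),
 * clearing each level's old fragment so a re-assignment leaves no stale bits
 * and touching nothing below bit 52 (address and permission bits). */
void ept_store_domain(ept_entry_t walk[EPT_LEVELS], uint32_t domain, bool hidden) {
    for (int lvl = EPT_LEVELS - 1; lvl >= 0; lvl--) {
        walk[lvl] &= ~(DOMAIN_BITS_MASK << DOMAIN_BITS_SHIFT);
        walk[lvl] |= ((uint64_t)domain & DOMAIN_BITS_MASK) << DOMAIN_BITS_SHIFT;
        domain >>= DOMAIN_BITS_PER_LEVEL;
    }
    walk[EPT_LEVELS - 1] &= ~EPT_HIDDEN_BIT;
    if (hidden) walk[EPT_LEVELS - 1] |= EPT_HIDDEN_BIT;
}

/* What a TLB fill would compute: combine the fragments of all levels into one
 * domain, most significant level first.  With domains disabled in the EPTP
 * every page reads as "no domain", so an unmodified VMM behaves as before. */
uint32_t ept_domain_of(uint64_t eptp, const ept_entry_t walk[EPT_LEVELS]) {
    if (!(eptp & EPTP_DOMAINS_ENABLED)) return DOMAIN_NONE;
    uint32_t d = 0;
    for (int lvl = 0; lvl < EPT_LEVELS; lvl++)
        d = (d << DOMAIN_BITS_PER_LEVEL) |
            (uint32_t)((walk[lvl] >> DOMAIN_BITS_SHIFT) & DOMAIN_BITS_MASK);
    return d;
}

bool ept_is_hidden(const ept_entry_t walk[EPT_LEVELS]) {
    return (walk[EPT_LEVELS - 1] & EPT_HIDDEN_BIT) != 0;
}

/* Store `domain` in a constructed walk, read it back through an EPTP with
 * domains enabled and return it; returns 0xFFFFFFFF if any address or
 * permission bit was disturbed or the hidden bit did not round-trip. */
uint32_t ept_roundtrip(uint32_t domain, bool hidden) {
    ept_entry_t walk[EPT_LEVELS] = {          /* constructed sample entries */
        0x0000000001001007ULL, 0x0000000001002007ULL,
        0x0000000001003007ULL, 0x0000000001004037ULL };
    ept_entry_t before[EPT_LEVELS];
    memcpy(before, walk, sizeof walk);
    ept_store_domain(walk, domain, hidden);
    for (int i = 0; i < EPT_LEVELS; i++)
        if ((walk[i] & EPT_ADDR_AND_PERM_MASK) != (before[i] & EPT_ADDR_AND_PERM_MASK))
            return 0xFFFFFFFFu;
    if (ept_is_hidden(walk) != hidden) return 0xFFFFFFFFu;
    return ept_domain_of(EPTP_DOMAINS_ENABLED, walk);
}

int main(void) {
    uint32_t nic_a = assign_domain(AGENT_MODULE, 0x2A, 5);  /* network-driver group 0x2A */
    uint32_t nic_b = assign_domain(AGENT_MODULE, 0x2A, 6);
    uint32_t fs    = assign_domain(AGENT_MODULE, 0x2B, 1);
    printf("nic_a=%#x nic_b=%#x fs=%#x\n", nic_a, nic_b, fs);
    printf("nic_a/nic_b same group: %d, nic_a/fs same group: %d\n",
           same_group(nic_a, nic_b), same_group(nic_a, fs));
    printf("round trip of nic_a (hidden): %#x\n", ept_roundtrip(nic_a, true));
    return 0;
}
```

The round-trip check matters in practice: the domain bits share an entry with the host-physical address and the EPT permission bits, and a careless store that clobbers those would silently remap or re-permission the page rather than protect it.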
[0020] In various embodiments, as alluded to earlier, VMM 104 may
also include an integrity measurement module (IMM) 112 capable of
verifying the integrity of agent 114 as the agent 114 is loaded in
virtual machine 106 memory. The IMM 112 may use any method known in
the art to attest to the integrity of the agent 114, such as
cryptographic hashes of memory pages. By verifying the integrity of
agent 114, the IMM 112 may provide an additional layer of security,
allowing the detection of a corruption of agent 114 before even
assigning its security domain. In some embodiments, the computing
device 102 may include an additional virtual machine (not shown),
which may include the IMM 112. In such embodiments, integrity
services (not shown) of the VMM 104 may map copies of the memory
pages of agent 114 into the additional virtual machine for
evaluation by the IMM 112, which may return a verification result
for the agent.
[0021] In various embodiments, as alluded to earlier, virtual
machine 106 may comprise one or more applications, such as agent
114. Agent 114 may be any sort of agent, including a program or
module of a program having instructions needing to access memory
pages of other agents. Such access may be a read or write access,
or a jump or call to transition to the agent stored in the memory
page attempting to be accessed. Agent 114 may be a legitimate (or
infected) agent of the virtual machine 106, or may be a malicious
program, such as a worm or virus. In some embodiments, agent 114
may be one of a number of trusted virtual machine 106 base
components, such as a scheduler, loader, memory manager, or
security domain assignment service 110 (if not implemented by the
VMM 104). Such components may, as described above, be assigned a
special supervisory security domain allowing instructions of the
components 114 to access memory pages having a different security
domain. In other embodiments, agent 114 may be a legacy application
that is not assigned a security domain. As described above, agent
114 may be stored in a memory page of the virtual machine 106 that
is itself associated with a security domain.
[0022] As illustrated, except for the teachings of the embodiments
of the present invention, processor 116 may be any of a variety of
different types of processors, such as a processor in the
Pentium® Processor Family, the Itanium® Processor Family,
or other processor families from Intel Corporation, or any other
general purpose or other processor from another company. Processor
116 may execute virtual machine 106 and its agents, virtual machine
manager 104 and its agents, and may include one or more TLBs 118,
with the TLB 118 modified to store security domains of memory
pages, and having associated comparing logic 120, and CSD and PSD
registers 122. TLB 118 may be enhanced to copy the security domains
assigned and stored in page tables 108 for various memory pages by
security domain assignment service 110 of VMM 104. Upon processing
an instruction of agent 114 seeking to access a memory page, memory
management logic of virtual machine 106, VMM 104 and processor 116
may map the linear address referenced by the instruction to a guest
physical address obtained from guest page tables (not shown) of the
virtual machine 106, which may then be mapped by the logic to a
host physical address of the actual memory page referred to by the
linear address of the instruction. The mapping of the guest
physical address to a host physical address may be obtained from
the page tables 108 of VMM 104, which may be extended page tables.
TLBs 118 may be extensively used in this process to cache various
levels of address translation. The logic of processor 116 may then
copy the security domain of the memory page currently stored in CSD
register 122 into PSD register 122, and the security domain of the
memory page being accessed into CSD register 122. The logic 120
further compares the current and previous security domains in the
CSD and PSD registers 122 to determine whether to disallow the
reference/access.
[0023] In various embodiments, TLB 118 may be any translation
lookaside buffer known in the art, with the exception of the
modifications to store the security domains. Additionally, TLB 118
may cache mappings of linear memory addresses referenced by the
instruction to guest physical addresses, and of the guest physical
addresses to host physical addresses pointing to the memory page
the instruction is attempting to reference or access. The security
domains and mappings of the TLB 118 may be updated by logic of the
processor 116.
[0024] As alluded to earlier, processor 116 may include PSD and CSD
registers 122 and comparing logic 120 to compare the security
domains stored in the PSD and CSD registers 122. The comparison may
be performed according to any known approach. For example, if the
security domains are associated with numerical values, the
comparing logic 120 may determine if the values are the same, if
one or both values are zero (representing no security domain, as
discussed above), or if one or both values are a default value,
such as a maximum, representing a supervisory security domain. The
comparing logic 120 may then use the result obtained by the
comparison to disallow the instruction to reference or access the
memory page. In one embodiment, comparing logic 120 may not
disallow the reference or access when the security domain of the
memory page containing the instruction is the same as the security
domain of the memory page that the instruction is attempting to
reference or access, and may disallow the reference or access when
the security domains are different. Comparing logic 120 may
disallow the reference or access by triggering a page fault
exception.
[0025] Further, comparing logic 120 may determine whether to
disallow the reference or access based on additional criteria. For
example, one security domain (e.g., "0") may represent no security
domain, such that a memory page marked with no security domain may
be accessed by any other page. Also, as mentioned above, an EPTE of
page tables 108 may include a field or bit which defines whether
the page is hidden. The bit may be set to zero to allow any other
page to read from the referenced page, regardless of the result of
the security domain comparison, or set to one to enable comparing
logic 120 to disallow read references or accesses based on the
security domain comparison. In some embodiments, the hidden bit may
be retrieved with the security domain by processor 116 logic and
may be stored in the page tables of the TLB 118. Write references
or accesses may be prevented regardless of the setting of the
hidden bit.
[0026] Also, comparing logic 120 may determine whether to disallow
the reference or access based on instruction control flow. For
example, an instruction may be used to mark allowed entry points to
a program. In an embodiment according to the architecture of the
Pentium.RTM. Processor Family, a new instruction (e.g., a "Directed
Address Vector" or "DAV" instruction) may be added for this
purpose. If a jump or other control flow instruction is executed
from a memory page of one security domain to a DAV instruction in a
memory page of another security domain, the reference or access may
not be disallowed. However, if the jump is to a page of another
security domain, but not to a DAV instruction, the reference or
access may be disallowed. Therefore, the DAV instruction may be
used to allow entry into a program only at an expected point which
may provide a defined, secure interface. Jumps to random or
unexpected sections of a program from a program of another security
domain may be prevented. Finally, the DAV instruction may only be
executed in pages that are executable (e.g., not eXecute Disabled
using the XD bit according to the architecture of the Pentium.RTM.
4 and other Processor Families), assuring that data pages with
spurious bit sequences appearing to be a DAV instruction will not
be executed by the processor 116.
[0027] Furthermore, comparing logic 120 may also enable page fault
reporting to include whether a page fault was caused by a security
domain mismatch or violation. For example, comparing logic 120 in
triggering a page fault, may provide the indication, such that a
bit in a page fault error code (e.g., bit 5 of the page fault error
code pushed onto the stack according to the architecture of the
Pentium.RTM. Processor Family) may be designated as a security
domain violation bit, and be set to one to indicate that the page
fault was triggered by a security domain mismatch. This bit may be
interpreted in the context of other flags. For example, if the
security domain violation was caused by an instruction fetch, an
instruction fetch bit in the error code may be set to one. If the
security domain violation was caused by a read or a write, a
read/write bit may be set to a zero for a read or a one for a
write. Additionally, the linear address of the memory page of agent
114 that caused the fault may be saved, for example in the CR2
control register of a processor according to the architecture of
the Pentium.RTM. Processor Family.
[0028] As illustrated, the memory 124 of computing environment 102
may be any sort of memory device known in the art capable of
storing instructions that may be executed by processor 116,
including the instructions of VMM 104, VM 106, and their
components. Memory 124 may, in one embodiment, be partitioned
among a number of virtual machines, including at least VMM 104 and
VM 106.
[0029] In summary, security domain assignment service 110 may be
added to assign security domains to memory pages. Page tables 108
and TLB 118 may be enhanced to store the assigned security domains,
and processor 116 may be modified to include PSD and CSD registers
122 to store security domains of current and previous memory pages,
and comparing logic 120 to compare the security domains of the
previous and current memory pages to determine whether to disallow
the reference/access.
[0030] FIG. 2 illustrates a flow chart view of selected operations
of the methods of various embodiments of the present invention. As
is shown, in various embodiments, an integrity measurement module
(IMM) of the computing device may verify the integrity of computing
device agents each time one of those agents is spawned in memory,
block 202. The IMM may reside in a virtual machine manager (VMM) of
the computing device, or in a virtual machine (VM) of the computing
device that does not include the agent being verified. The IMM may
receive a copy of the memory page including the agent, and may
verify the agent in the manner described above in reference to FIG.
1. Upon verifying the agent, a security domain assignment service
of the VMM may assign security domains to the agents of the VMs of
the computing device, block 204. The assignment service may
associate the assigned security domain with all memory pages
allocated to the agents by storing the security domain in the
corresponding extended page table entry (EPTE) structures of
extended page tables of the VMM, and may set security domain
configuration values, such as the hidden bit described above in the
extended page table pointer (EPTP) structure associated with the
EPTE, which in turn are copied and stored in the TLB, block
206.
[0031] As is further described above, when a processor associated
with a VM of the computing device processes an instruction of an
agent residing in a first memory page of the computing device, the
instruction attempting a reference or access of a second memory
page, logic of the processor may update the security domains of the
previous and current memory pages stored in the PSD and CSD
registers, block 208.
[0032] Once the security domain of the second memory page has been
retrieved and stored, comparing logic of the processor may compare
the security domains stored in the PSD and CSD, block 210. Based at
least partially on the results of the comparison, the comparing
logic may not disallow the instruction to reference or access the
second memory page, block 220, or may disallow the access, block
222. In addition to the comparison of security domains, the
comparing logic may be adapted to perform a number of other tests.
For example, the comparing logic may determine if the security
domain of the first memory page is different from the security
domain of the second memory page, block 212. If the security
domains are the same, the comparing logic may not disallow the
access, block 220. If, on the other hand, the security domains are
different, the comparing logic may further determine if the hidden
bit, mentioned above, is set for the second memory page, block 214.
If the hidden bit is set, the comparing logic may disallow the
access, block 222. However, if the hidden bit is not set, the
comparing logic may further determine whether the attempted access
is a read reference or access, block 216. If the reference or
access is a read reference or access, the comparing logic may not
disallow the access, block 220. On the other hand, if the reference
or access is not a read reference or access, the comparing logic
may determine if the reference or access is a control flow
transition, such as a jump or a call instruction, to an approved
entry point of the second memory page (discussed above as a "DAV
instruction"), block 218. If the instruction is a jump or a call to
an allowed entry point, the comparing logic may not disallow the
instruction, block 220. If the instruction is not a jump or a call,
or is a jump or a call to memory other than an approved entry
point, the comparing logic may disallow the instruction from
referencing or accessing the second memory page, block 222.
[0033] If the instruction has been disallowed from referencing or
accessing the second memory page, the comparing logic may trigger a
page fault, block 224. In some embodiments, the page fault may
include a descriptor of the type of reference or access, and an
address of the first memory page attempting the disallowed
reference or access.
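The decision procedure of paragraphs [0024] through [0027] and of FIG. 2 blocks 208 through 224 can be written out as a small software model. The following C program is an added illustration, not code from the application or from any processor; the register names follow the text, while the structure layouts, the placement of bit 0 (present) in the error code, and the rule that a target page with domain "0" is always accessible are assumptions made for the model.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of comparing logic 120 and the PSD/CSD registers.
 * Not the application's own code; widths and the "present" bit are
 * assumptions for illustration. */

#define SD_NONE 0u            /* "0" = no security domain ([0025]) */

/* Page fault error code bits: bit 0 P, bit 1 W/R, bit 4 I/D follow the
 * IA-32 layout; bit 5 is the security domain violation bit of [0027]. */
#define PF_P   (1u << 0)
#define PF_WR  (1u << 1)
#define PF_ID  (1u << 4)
#define PF_SDV (1u << 5)

typedef enum { ACC_READ, ACC_WRITE, ACC_EXEC } access_kind;

typedef struct {
    uint32_t domain;      /* security domain copied from the EPTE */
    bool     hidden;      /* hidden bit ([0025]) */
    bool     executable;  /* false when the XD bit is set ([0026]) */
} page_attr;

typedef struct {
    uint32_t psd;         /* previous security domain register */
    uint32_t csd;         /* current security domain register */
    uint64_t cr2;         /* faulting linear address, as CR2 ([0027]) */
    uint32_t err;         /* last page fault error code */
} sd_cpu;

/* Block 208: shift CSD into PSD and load the target page's domain. */
static void sd_update(sd_cpu *cpu, const page_attr *target)
{
    cpu->psd = cpu->csd;
    cpu->csd = target->domain;
}

/* Blocks 210-222: decide whether the reference or access is allowed. */
static bool sd_allowed(const sd_cpu *cpu, const page_attr *target,
                       access_kind kind, bool lands_on_dav)
{
    if (cpu->psd == cpu->csd)       /* block 212: same domain */
        return true;
    if (cpu->csd == SD_NONE)        /* [0025]: unmarked page, any access */
        return true;
    if (target->hidden)             /* block 214: hidden page */
        return false;
    if (kind == ACC_READ)           /* block 216: reads of visible pages */
        return true;
    /* block 218: control flow only through a DAV entry point, and only
     * if the page is executable so data bytes cannot act as a DAV. */
    if (kind == ACC_EXEC && lands_on_dav && target->executable)
        return true;
    return false;                   /* block 222: writes and stray jumps */
}

/* Full path: update registers, compare, and on denial record the error
 * code and faulting address of [0027]. Returns true if allowed. */
bool sd_access(sd_cpu *cpu, const page_attr *target, access_kind kind,
               bool lands_on_dav, uint64_t linear_addr)
{
    sd_update(cpu, target);
    if (sd_allowed(cpu, target, kind, lands_on_dav))
        return true;
    cpu->err = PF_P | PF_SDV;       /* page is present; domain mismatch */
    if (kind == ACC_EXEC)
        cpu->err |= PF_ID;          /* violation on instruction fetch */
    else if (kind == ACC_WRITE)
        cpu->err |= PF_WR;          /* violation on write */
    cpu->cr2 = linear_addr;
    return false;
}

/* One access from a page of domain `src` to a page of domain `dst`;
 * returns the error code that would be pushed, or 0 if allowed. */
uint32_t sd_try(uint32_t src, uint32_t dst, bool hidden, bool executable,
                access_kind kind, bool lands_on_dav)
{
    sd_cpu cpu = { .psd = src, .csd = src, .cr2 = 0, .err = 0 };
    page_attr target = { .domain = dst, .hidden = hidden,
                         .executable = executable };
    return sd_access(&cpu, &target, kind, lands_on_dav, 0x7f00) ? 0 : cpu.err;
}

int main(void)
{
    printf("cross-domain write:  err=0x%x\n",
           sd_try(5, 7, false, true, ACC_WRITE, false));
    printf("jump to DAV entry:   err=0x%x\n",
           sd_try(5, 7, false, true, ACC_EXEC, true));
    printf("DAV on XD page:      err=0x%x\n",
           sd_try(5, 7, false, false, ACC_EXEC, true));
    return 0;
}
```

The model follows the text in treating every access the same way: the target page's domain is loaded into CSD before the comparison. The application does not say how the registers are restored after a data access so that the next instruction fetch from the original code page compares the right pair of domains; a real implementation would have to settle that, and the model leaves it to the caller.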
[0034] FIG. 3 illustrates exemplary extended page table structures
adapted to store memory page security domains in a logically
ordered fashion. Shown in the left-most block is an exemplary
Extended Page Table Pointer (EPTP) capable of storing security
domain preferences. The EPTP may be, for example, a 64 bit
structure comprising configuration/permission bits, a physical
address (48 bit field) of a 4 KB memory page that holds 512
Extended Page Table Entries, such as the EPTE blocks shown in the
middle and right series of blocks, and a number of reserved bits.
The reserved bits may be used to indicate whether the memory page
being accessed by the instruction has an assigned security domain,
whether the page is hidden, whether the page is a transition page
(DAV), etc. The EPTE blocks shown in the middle and right may be
EPTEs of a memory page pointed to by the EPTP block. The EPTE blocks
may include, for instance, a 40-bit address field which provides
the address of a page frame that is the physical page frame
attempting to be accessed by the instruction, or may instead
provide the address of another memory page including another 512
EPTEs that may be further used for address translation. The EPTE
blocks in the middle that are shown pointing to EPTE blocks on the
right constitute such pointing EPTEs. Also, 10 bits of the EPTE may
be used to store a security domain.
[0035] In some embodiments, the CPU may parse at least two levels
of EPTEs, such as those in the middle and right series of blocks,
to translate the guest physical address of the memory page
attempting to be accessed. Thus, because two EPTEs are associated
with any given page frame, 20 bits may be used for assigning a
security domain to a memory page. Also, because the 10 bits of the
first EPTE may be shared by up to 512 memory page frames, the
security domain assignment service may make use of this artifact to
partition the security domain space in a logical fashion (e.g., all
network drivers sharing the same first ten bits of their security
domains).
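The two-level layout of paragraphs [0034] and [0035], in which the upper 10 bits of a page's 20-bit security domain live in an EPTE shared by 512 page frames and the lower 10 bits in the leaf EPTE, can be modelled as follows. This C program is an added illustration and not the application's own code; the widths (40-bit frame address, 10-bit domain field per EPTE, 512 entries per table) follow the text, while the bit positions of the fields, the hidden bit, and the `upper_used` bookkeeping are assumptions of the model.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of a two-level extended page table carrying security
 * domains. Field positions are assumptions; widths follow [0034]-[0035]. */

#define EPT_ENTRIES     512
#define EPTE_FRAME_MASK ((1ull << 40) - 1)   /* 40-bit page frame number */
#define EPTE_SD_SHIFT   52
#define EPTE_SD_MASK    0x3ffull             /* 10-bit security domain field */
#define EPTE_HIDDEN     (1ull << 62)         /* assumed hidden-bit position */

typedef struct {
    uint64_t upper[EPT_ENTRIES];               /* EPTEs pointing at leaf tables */
    bool     upper_used[EPT_ENTRIES];          /* model bookkeeping only */
    uint64_t leaf[EPT_ENTRIES][EPT_ENTRIES];   /* EPTEs of 4 KB page frames */
} ept_t;

ept_t g_ept;   /* about 2 MB; file scope so it is zero-initialised */

static uint32_t epte_sd(uint64_t e)
{
    return (uint32_t)((e >> EPTE_SD_SHIFT) & EPTE_SD_MASK);
}

static uint64_t epte_with_sd(uint64_t e, uint32_t sd10)
{
    e &= ~(EPTE_SD_MASK << EPTE_SD_SHIFT);
    return e | (((uint64_t)sd10 & EPTE_SD_MASK) << EPTE_SD_SHIFT);
}

static unsigned ept_hi(uint64_t gpa) { return (gpa >> 21) & (EPT_ENTRIES - 1); }
static unsigned ept_lo(uint64_t gpa) { return (gpa >> 12) & (EPT_ENTRIES - 1); }

/* Security domain assignment service: give the page at guest physical
 * address `gpa` the 20-bit domain `domain`. The upper 10 bits are stored in
 * the upper-level EPTE shared by 512 pages, so every page under that entry
 * must carry the same prefix; on a conflict the caller must place the page
 * under a different upper entry (this is the partitioning of [0035]). */
bool ept_assign(ept_t *t, uint64_t gpa, uint64_t host_frame,
                uint32_t domain, bool hidden)
{
    unsigned hi = ept_hi(gpa), lo = ept_lo(gpa);
    uint32_t prefix = (domain >> 10) & EPTE_SD_MASK;

    if (t->upper_used[hi] && epte_sd(t->upper[hi]) != prefix)
        return false;                       /* prefix clash within the group */
    t->upper[hi] = epte_with_sd(t->upper[hi], prefix);
    t->upper_used[hi] = true;

    uint64_t e = (host_frame & EPTE_FRAME_MASK) << 12;
    e = epte_with_sd(e, domain & EPTE_SD_MASK);
    if (hidden)
        e |= EPTE_HIDDEN;
    t->leaf[hi][lo] = e;
    return true;
}

/* What the processor would copy into the TLB and CSD register: the 20-bit
 * domain assembled from both levels of the walk. */
uint32_t ept_domain(const ept_t *t, uint64_t gpa)
{
    unsigned hi = ept_hi(gpa), lo = ept_lo(gpa);
    return (epte_sd(t->upper[hi]) << 10) | epte_sd(t->leaf[hi][lo]);
}

bool ept_hidden(const ept_t *t, uint64_t gpa)
{
    return (t->leaf[ept_hi(gpa)][ept_lo(gpa)] & EPTE_HIDDEN) != 0;
}

uint64_t ept_host_frame(const ept_t *t, uint64_t gpa)
{
    return (t->leaf[ept_hi(gpa)][ept_lo(gpa)] >> 12) & EPTE_FRAME_MASK;
}

int main(void)
{
    /* Two "network driver" pages share prefix 0x048; a third page with
     * prefix 0x080 cannot be placed in the same 512-page group. */
    printf("assign 0x12345: %d\n", ept_assign(&g_ept, 0x200000, 0x1234, 0x12345, true));
    printf("assign 0x12000: %d\n", ept_assign(&g_ept, 0x201000, 0x1235, 0x12000, false));
    printf("assign 0x20001: %d\n", ept_assign(&g_ept, 0x202000, 0x1236, 0x20001, false));
    printf("domain of 0x200000 = 0x%05x\n", ept_domain(&g_ept, 0x200000));
    return 0;
}
```

The refusal in `ept_assign` is where the "artifact" of [0035] becomes a constraint on the assignment service: because the first EPTE's 10 bits are shared by up to 512 frames, agents whose domains differ in those bits cannot be co-located under one upper entry, so the service must group pages by prefix when it allocates them.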
[0036] FIG. 4 illustrates an example computer system suitable for
use to practice various embodiments of the present invention. As
shown, computing system 400 includes a number of processors or
processor cores 402 (such as processor 116), and system memory 404
(such as memory 124). For the purpose of this application,
including the claims, the terms "processor" and "processor cores"
may be considered synonymous, unless the context clearly requires
otherwise. Additionally, computing system 400 includes mass storage
devices 406 (such as diskette, hard drive, compact disc read only
memory (CDROM) and so forth), input/output devices 408 (such as
keyboard, cursor control and so forth) and communication interfaces
410 (such as network interface cards, modems and so forth). The
elements are coupled to each other via system bus 412, which
represents one or more buses. In the case of multiple buses, they
are bridged by one or more bus bridges (not shown). In various
embodiments, mass storage devices 406 may be divided into multiple
partitions for use by the virtual machines, with each virtual
machine having exclusive use of the assigned partition.
[0037] Each of these elements performs its conventional functions
known in the art. In particular, processor(s) 402 is (are) enhanced
with the earlier described enhanced TLB, PSD and CSD registers, and
security domain comparison logic. Further, system memory 404 and
mass storage 406 may be employed to store a working copy and a
permanent copy of the programming instructions implementing the
security domain assignment service, the IMM, and so forth, herein
collectively denoted as 422. The instructions 422 may be compiled
from assembler instructions supported by processor(s) 402 or high
level languages, such as C.
[0038] The permanent copy of the programming instructions may be
placed into permanent storage 406 in the factory, or in the field,
through, for example, a distribution medium (not shown), such as a
compact disc (CD), or through communication interface 410 (from a
distribution server (not shown)).
[0039] The constitution of these elements 402-412 is known, and
accordingly will not be further described.
[0040] Although specific embodiments have been illustrated and
described herein, it will be appreciated by those of ordinary skill
in the art that a wide variety of alternate and/or equivalent
implementations may be substituted for the specific embodiments
shown and described, without departing from the scope of the
embodiments of the present invention. This application is intended
to cover any adaptations or variations of the embodiments discussed
herein. Therefore, it is manifestly intended that the embodiments
of the present invention be limited only by the claims and the
equivalents thereof.
* * * * *